mirror of
https://github.com/ARM-software/arm-trusted-firmware.git
synced 2025-04-17 10:04:26 +00:00
446354122c
Arm Confidential Compute Architecture (Arm CCA) support, underpinned by Arm Realm Management Extension (RME) support, brings in a few important software and hardware architectural changes in TF-A, which warrants a new security analysis of the code base. Results of this analysis are captured in a new threat model document, provided in this patch. The main changes introduced in TF-A to support Arm CCA / RME are: - Presence of a new threat agent: realm world clients. - Availability of Arm CCA Hardware Enforced Security (HES) to support measured boot and trusted boot. - Configuration of the Granule Protection Tables (GPT) for inter-world memory protection. This is only an initial version of the threat model and we expect to enrich it in the future. Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Co-authored-by: Manish Pandey <manish.pandey2@arm.com> Change-Id: Iab84dc724df694511508f90dc76b6d469c4cccd5
225 lines
12 KiB
ReStructuredText
225 lines
12 KiB
ReStructuredText
Threat Model for TF-A with Arm CCA support
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Introduction
|
|
************
|
|
|
|
This document provides a threat model of TF-A firmware for platforms with Arm
|
|
Realm Management Extension (RME) support which implement Arm Confidential
|
|
Compute Architecture (Arm CCA).
|
|
|
|
Although it is a separate document, it references the :ref:`Generic Threat
|
|
Model` in a number of places, as some of the contents is commonly applicable to
|
|
TF-A with or without Arm CCA support.
|
|
|
|
Target of Evaluation
|
|
********************
|
|
|
|
In this threat model, the target of evaluation is the Trusted Firmware for
|
|
A-class Processors (TF-A) with RME support and Arm CCA support. This includes
|
|
the boot ROM (BL1), the trusted boot firmware (BL2) and the runtime EL3 firmware
|
|
(BL31).
|
|
|
|
Assumptions
|
|
===========
|
|
|
|
We make the following assumptions:
|
|
|
|
- :ref:`Realm Management Extension (RME)` is enabled on the platform.
|
|
|
|
- Arm CCA Hardware Enforced Security (HES) is available on the platform, as
|
|
recommended by `Arm CCA security model`_:
|
|
|
|
*[R0004] Arm strongly recommends that all implementations of CCA utilize*
|
|
*hardware enforced security (CCA HES).*
|
|
|
|
- All TF-A images run from on-chip memory. Data used by these images also live
|
|
in on-chip memory. This means TF-A is not vulnerable to an attacker that can
|
|
probe or tamper with off-chip memory.
|
|
|
|
These are requirements of the `Arm CCA security model`_:
|
|
|
|
*[R0147] Monitor code executes entirely from on-chip memory.*
|
|
|
|
*[R0149] Any monitor data that may affect the CCA security guarantee, other*
|
|
*than GPT, is either held in on-chip memory, or in external memory but with*
|
|
*additional integrity protection.*
|
|
|
|
Note that this threat model hardens *[R0149]* requirement by forbidding to
|
|
hold data in external memory, even if it is integrity-protected - except for
|
|
GPT data.
|
|
|
|
- TF-A BL1 image is immutable and thus implicitly trusted. It runs from
|
|
read-only memory or write-protected memory. This could be on-chip ROM, on-chip
|
|
OTP, locked on-chip flash, or write-protected on-chip RAM for example.
|
|
|
|
This is a requirement of the `Arm CCA security model`_:
|
|
|
|
*[R0158] Arm recommends that all initial boot code is immutable on a*
|
|
*secured system.*
|
|
|
|
*[R0050] If all or part of initial boot code is instantiated in on-chip*
|
|
*memory then other trusted subsystems or application PE cannot modify that*
|
|
*code before it has been executed.*
|
|
|
|
- Trusted boot and measured boot are enabled. This means an attacker can't boot
|
|
arbitrary images that are not approved by platform providers.
|
|
|
|
These are requirements of the `Arm CCA security model`_:
|
|
|
|
*[R0048] A secured system can only load authorized CCA firmware.*
|
|
|
|
*[R0079] All Monitor firmware loaded by PE initial boot is measured and*
|
|
*verified as outlined in Verified boot.*
|
|
|
|
- No experimental features are enabled. These are typically incomplete features,
|
|
which need more time to stabilize. Thus, we do not consider threats that may
|
|
come from them. It is not recommended to use these features in production
|
|
builds.
|
|
|
|
Data Flow Diagram
|
|
=================
|
|
|
|
Figure 1 shows a high-level data flow diagram for TF-A. The diagram shows a
|
|
model of the different components of a TF-A-based system and their interactions
|
|
with TF-A. A description of each diagram element is given on Table 1. On the
|
|
diagram, the red broken lines indicate trust boundaries. Components outside of
|
|
the broken lines are considered untrusted by TF-A.
|
|
|
|
.. uml:: ../resources/diagrams/plantuml/tfa_arm_cca_dfd.puml
|
|
:caption: Figure 1: Data Flow Diagram
|
|
|
|
.. table:: Table 1: Data Flow Diagram Description
|
|
|
|
+-----------------+--------------------------------------------------------+
|
|
| Diagram Element | Description |
|
|
+=================+========================================================+
|
|
| DF1 | | Refer to DF1 description in the |
|
|
| | :ref:`Generic Threat Model`. Additionally TF-A |
|
|
| | loads realm images. |
|
|
+-----------------+--------------------------------------------------------+
|
|
| DF2-DF6 | | Refer to DF2-DF6 descriptions in the |
|
|
| | :ref:`Generic Threat Model`. |
|
|
+-----------------+--------------------------------------------------------+
|
|
| DF7 | | Boot images interact with Arm CCA HES to record boot |
|
|
| | measurements and retrieve data used for AP images |
|
|
| | authentication. |
|
|
| | |
|
|
| | | The runtime firmware interacts with Arm CCA HES to |
|
|
| | obtain sensitive attestation data for the realm |
|
|
| | world. |
|
|
+-----------------+--------------------------------------------------------+
|
|
| DF8 | | Realm world software (e.g. TF-RMM) interact with |
|
|
| | TF-A through SMC call interface and/or shared |
|
|
| | memory. |
|
|
+-----------------+--------------------------------------------------------+
|
|
|
|
Threat Analysis
|
|
***************
|
|
|
|
In this threat model, we use the same method to analyse threats as in the
|
|
:ref:`Generic Threat Model`. This section only points out differences where
|
|
applicable.
|
|
|
|
- There is an additional threat agent: *RealmCode*. It takes the form of
|
|
malicious or faulty code running in the realm world, including R-EL2, R-EL1
|
|
and R-EL0 levels.
|
|
|
|
- At this time we only consider the ``Server`` target environment. New threats
|
|
identified in this threat model will only be given a risk rating for this
|
|
environment. Other environments may be added in a future revision
|
|
|
|
Threat Assessment
|
|
=================
|
|
|
|
General Threats for All Firmware Images
|
|
---------------------------------------
|
|
|
|
The following table analyses the :ref:`General Threats` in the context of this
|
|
threat model. Only deltas are pointed out.
|
|
|
|
+----+-------------+-------------------------------------------------------+
|
|
| ID | Applicable? | Comments |
|
|
+====+=============+=======================================================+
|
|
| 05 | Yes | |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 06 | Yes | |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 08 | Yes | Additional diagram element: DF8. |
|
|
| | | |
|
|
| | | Additional threat agent: RealmCode. |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 11 | Yes | | Misconfiguration of the Memory Management Unit |
|
|
| | | (MMU) may allow a **normal/secure/realm** world |
|
|
| | | software to access sensitive data, execute arbitrary|
|
|
| | | code or access otherwise restricted HW interface. |
|
|
| | | |
|
|
| | | | **Note that on RME systems, MMU configuration also |
|
|
| | | includes Granule Protection Tables (GPT) setup.** |
|
|
| | | |
|
|
| | | | Additional diagram elements: DF4, DF7, DF8. |
|
|
| | | |
|
|
| | | | Additional threat agents: SecCode, RealmCode. |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 13 | Yes | Additional diagram element: DF8. |
|
|
| | | |
|
|
| | | Additional threat agent: RealmCode. |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 15 | Yes | Additional diagram element: DF8. |
|
|
| | | |
|
|
| | | Additional threat agent: RealmCode. |
|
|
+----+-------------+-------------------------------------------------------+
|
|
|
|
Threats to be Mitigated by the Boot Firmware
|
|
--------------------------------------------
|
|
|
|
The following table analyses the :ref:`Boot Firmware Threats` in the context of
|
|
this threat model. Only deltas are pointed out.
|
|
|
|
+----+-------------+-------------------------------------------------------+
|
|
| ID | Applicable? | Comments |
|
|
+====+=============+=======================================================+
|
|
| 01 | Yes | Additional diagram element: DF8. |
|
|
| | | |
|
|
| | | Additional threat agent: RealmCode. |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 02 | Yes | Additional diagram element: DF8. |
|
|
| | | |
|
|
| | | Additional threat agent: RealmCode. |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 03 | Yes | |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 04 | Yes | |
|
|
+----+-------------+-------------------------------------------------------+
|
|
|
|
Threats to be Mitigated by the Runtime EL3 Firmware
|
|
---------------------------------------------------
|
|
|
|
The following table analyses the :ref:`Runtime Firmware Threats` in the context
|
|
of this threat model. Only deltas are pointed out.
|
|
|
|
+----+-------------+-------------------------------------------------------+
|
|
| ID | Applicable? | Comments |
|
|
+====+=============+=======================================================+
|
|
| 07 | Yes | Additional diagram element: DF8. |
|
|
| | | |
|
|
| | | Additional threat agent: RealmCode. |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 09 | Yes | Additional diagram element: DF8. |
|
|
| | | |
|
|
| | | Additional threat agent: RealmCode. |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 10 | Yes | Additional diagram element: DF8. |
|
|
| | | |
|
|
| | | Additional threat agent: RealmCode. |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 12 | Yes | Additional diagram element: DF8. |
|
|
| | | |
|
|
| | | Additional threat agent: RealmCode. |
|
|
+----+-------------+-------------------------------------------------------+
|
|
| 14 | Yes | |
|
|
+----+-------------+-------------------------------------------------------+
|
|
|
|
*Copyright (c) 2023, Arm Limited. All rights reserved.*
|
|
|
|
.. _Arm CCA Security Model: https://developer.arm.com/documentation/DEN0096/A_a
|